TR Daily DATA Privacy Act Would Require Opt-Out for Sensitive Data
Friday, March 1, 2019

DATA Privacy Act Would Require Opt-Out for Sensitive Data

Sen. Catherine Cortez Masto (D., Nev.) has introduced a bill that would require companies that collect data on 3,000 or more users a year to disclose their data collection and privacy practices, to provide “conspicuous” access to a means of opting out of data collection, and to obtain affirmative opt-in consent before collecting sensitive personal information and before collecting, using, or disclosing personal information “for purposes outside the context of the relationship” of the covered entity and the individual whose information is involved.

Sensitive data includes data related to “health, biologic, physiologic, biometric, sexual life, or genetic information,” as well as “the precise geolocation information of a device associated with an individual.”

The proposed Digital Accountability and Transparency to Advance (DATA) Privacy Act would also impose data minimization requirements.

The DATA Privacy Act would also require the Federal Trade Commission to adopt rules implementing the legislation’s required data and data security practices and its requirements for giving individuals control over the use of their data, including access to the collected data, the means to dispute and resolve inaccuracies, the ability to delete collected data, and, “when technically feasible,” to port their data “in a format that is standardized and interoperable.”

The DATA Privacy Act would require covered entities with annual revenues in excess of $25 million to designate at least one privacy protection officer with responsibility for educating employees about compliance requirements, training employees involved in data processing, conducting compliance audits, maintaining records on data security practices, serving as the point of contact between the covered entity and enforcement authorities, and “advocat[ing] for policies and practices within the covered entity that promote individual privacy.” It would prohibit companies from firing or otherwise penalizing a privacy protection officer for performing the tasks assigned by the legislation.

The bill would authorize the FTC to enforce violations of its provisions as violations of rules promulgated under the FTC Act’s prohibition on unfair or deceptive acts of business practices. It would also authorize FTC enforcement of the DATA Privacy Act against common carriers, notwithstanding the common carrier exemption in the FTC Act. It also would authorize enforcement by state attorneys general.

It would add privacy and confidentiality research to the projects eligible for existing cyber security research grants administered by the National Institute of Standards and Technology.

“From my time as Nevada’s Attorney General, I’ve fought for consumers who’ve been harmed by data breaches at major companies and defrauded by scammers who stole their data,” Sen. Cortez Masto said. “My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used.”

In a statement, Public Knowledge policy fellow Dylan Gilbert took a mixed view of the bill.

“There is much to like in Sen. Cortez Masto’s DATA Privacy Act, including requirements for plain-language privacy notices, data minimization mandates, and grants of authority to the Federal Trade Commission and state Attorneys General to bring civil penalties against first-time privacy offenders. Importantly, this bill also moves beyond the notice and consent focus of many past privacy bills to include outright bans on data practices likely to result in unfair discrimination against a broad range of protected characteristics such as race and gender,” Mr. Gilbert said.

“Unfortunately, the bill lacks elements that are necessary to any comprehensive federal privacy bill. For example, it preserves an outdated distinction between sensitive and non-sensitive data, lacks requirements for companies to conduct privacy risk assessments for high-risk data processing, and, crucially, does not provide consumers with a private right of action to have their day in court individually and as a class to seek damages and injunctive relief for violations of their privacy. We look forward to working with Sen. Cortez Masto to protect consumer privacy through a more comprehensive bill,” he added. —Lynn Stanton, [email protected]


Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More